How to audit API step by step
API is an important software intermediary that enables the communication between two applications. It provides software flexibility, simplifies the designing process, and eases the management. When it comes to the software ecosystem, everything needs to keep up with the highest standards, because a well-planned ecosystem gives high comfort of using the services. The most effective way to recommend improvements is strong expertise. Read on to know how we conducted API and documentation audit step by step.
API and documentation audit
At first we decided to carry on the audit in a blackbox way of testing. It means that we didn’t have any access to the code or internal documentation. We based the audit mostly on the materials available on the website. At this stage, it was impossible to estimate the percentage coverage of our audit versus all of the API methods. Later, by gaining source code access, we were able to effectively prepare specifications of all controllers, APIs, and methods, as well as an audit plan. We classified errors and problems in the following categories:
- missing information
- bad documentation structure
- API usability
- design not following standards
- mistakes and misspellings
- backend error
The audit team found approximately 21 issues that are listed in the table below.
The last factor we paid attention to while conducting the audit was the overall impression of developers who worked with the API.
API audit: step by step
The most common conceptual visualization of the CI/CD process (also during API building) looks like this one below:
The disadvantage of this solution is the lack of a seamless transition from the API project and new functions to automatic tests, or the generation of documentation, examples in different languages, etc. Additionally, launching an interactive and very extensive documentation without automatic connection with the project or code will increase its costs. Installing each version will require a costly identification of potential code snippets that need to be changed. Therefore, we recommend the following project approach.
Step 1: API source code analysis, internal documentation, and API audit plan execution
The API audit plan contained the following content:
- Preparation of an API business and system analysis document and related products (documentation, examples, API notation).
- Preparation of a semantic API description in the so-called high-level API description language. Note that in addition to the API specification, this task will also include the edition and transformation of static documentation items.
- Selection of available tools (or creation of dedicated scripts) and their configuration to enable the connection with the API specification (see above) and CI/CD in such a way as to automate code/specification compliance validation, generating interactive documentation and automated tests. When the code changes, documentation changes as well, and automatic tests are carried out to demonstrate the compliance of documentation and API.
Below are the modifications to the CI/CD process with new elements that automate validation, tests, and creating interactive documentation. These actions not only improve and tighten up the process – automation affects the pace of implementing new features.
Step 2: API improvement
In the second step, we refer to the use of tools that change the input and output definitions at the parameter name level without changing the business logic. There are 2 possibilities: target or transition version. We can implement API improvement at the code level (target) or at the additional layer level (translator/dispatcher).
Step 3: Developer Center
At this stage, we created a detailed project (UX, technical SEO analysis) of a coherent Developer Center. Then we built a new Developer Center.
How to make API testing easier
We chose 5 methods for the tests and described them using the meta language. In accordance with the chosen concept, we will be able to include the documentation and API compliance validation, automatic tests or interactive documentation in the CI/CD process. For this purpose, we used:
- API Blueprint (high level API description language for web API’s),
- Apiary (as an API Blueprint online editor to create interactive documentation),
- Dredd for testing (a language-agnostic command-line tool for validating API description document against backend implementation of the API).
1. API Blueprint
API Blueprint is a high level language for describing web APIs. The syntax is a combination of Markdown and MSON, and the files are saved with a .apib extension. Markdown is a lightweight text formatting syntax, and MSON is its extension used for describing data objects. The goal of the API Blueprint format is to enable the design-first philosophy for REST APIs, however, the format works just as well for documenting existing APIs.
2. Interactive documentation (Apiary)
Apiary is an interesting tool that allows us to easily and quickly design an API. While waiting for an endpoint for our application, we can prepare and use appropriate actions ourselves and our development won’t stand still. With this tool, we can simply exchange knowledge within the team, present the requirements for the expected server responses, and prepare interactive documentation. This allows us to easily show the other part of the team how our endpoint should work. The only downside of the free version is the ever-growing project document, where scrolling through our Blueprint can be troublesome with more complicated actions. Nevertheless, we’re happy to use this tool for smaller purposes and encourage everyone to familiarize yourselves with it.
The screenshot below presents the main view of the documentation.
The panel on the left is a Table of Contents, which includes 3 chapters:
- Introduction (contains quickstart),
- Reference (API),
- Data Structures (object description).
The Introduction section contains the information about how to set up everything to be able to use API – for example, how to authenticate or register to the system. The Reference section contains actual definitions of all the resources available in the API. Each object has its own section which includes a set of links to each method definition. The Data Structures section contains a list of all objects that are part of the API and their definitions, like parameters and types.
The screenshot below presents the main documentation view with an opened call method details and Try console panel. It shows the URL, URI parameters with description, headers for request and headers, example body, and scheme for response.
The screenshot below presents the Try console panel which offers an opportunity to test API directly from the documentation. It allows us to put in custom parameters, header and body, and create fully customized request to the server. We can also call methods through mocked endpoints, which allows us to inspect all the traffic around the API.
3. Automated API tests (Dredd)
Dredd reads API description and step by step validates whether API implementation replies with responses as they are described in the documentation.
The screenshot below present Dredd test results in a more readable form. They contain reports for all method calls with errors (if they occurred), any inconsistencies in the request or responses, and other valuable information which can help investigate problems with the API. Dredd can be also connected with any CI/CD tool which runs tests automatically when any changes are applied to the code.
API audit: the most important
Documentation is an essential part of any API. Without it, it is extremely difficult to find out what endpoints are available, what they are for and what parameters we can use. Such interactive documentation allows us not only to view the available endpoints, their parameters or schemes of returned values but also allows us to try them out. This is useful not only for finding the certain resource but also for calling it on request, which often turns out to be useful during development.
If you’d like to learn more about API audit, API Services or DevOps processes, check our website or read our blog: